Accessing Bedrock foundation models in AWS GovCloud (US) involves a specific process that requires coordination between standard AWS accounts and GovCloud accounts. The key requirement is initiating the access request through a standard AWS account that's linked to your GovCloud account. This article provides a straightforward, step-by-step approach to:
- Requesting and enabling Bedrock model access
- Managing model permissions
- Removing access when no longer needed
Prerequisites
- An active AWS GovCloud (US) account is required.
- Appropriate permissions within this account to access the Bedrock console and manage IAM policies.
- Access to the standard AWS account that is linked to the GovCloud (US) account.
Understanding the Process
For the GovCloud (US) Region, accessing a foundation model in Amazon Bedrock requires an initial request for access. This involves completing a subscription flow and agreeing to the End User License Agreement (EULA) in a standard AWS Region (us-east-1 or us-west-2). While access can be removed for most models, certain models, such as Amazon Titan, Amazon Nova, Mistral AI, and Meta Llama 3 Instruct, don't support access removal. For these models, inference calls can be blocked using an IAM policy.
Steps to Request Model Access
This process involves the following steps:
1. Identify the Linked Standard AWS Account:
Note: This information cannot be recovered through AWS Support.
Note: If the linked standard AWS account is already known, proceed directly to Step 2. Otherwise, follow these steps to identify the linked account:
- Access AWS GovCloud Support Center:
  - Sign in to the AWS GovCloud (US) account
  - Navigate to AWS Support Center
  - Locate a recent support case
- Find Associated Email Address:
  - Review the support case details
  - Identify the email address used when creating the case
  - If the email address has not changed since opening the case, this is the email address associated with the linked standard AWS account.
- Access Standard AWS Account:
  - Visit the AWS Management Console (standard)
  - Sign in using the identified email address as the root user
  - Once authenticated, locate the account ID in the AWS console navigation bar
The identified account ID is the standard AWS account linked to the GovCloud (US) account; this account is used to initiate the Bedrock subscription process.
2. Request Access via the Bedrock Console:
- Sign in to your standard AWS account using either the us-east-1 or us-west-2 region.
- Open the Amazon Bedrock console and navigate to the model access area.
- Choose the foundation model(s) you want to enable and start the request process by following the on-screen subscription flow.
- Completing the subscription flow grants the regional entitlement that allows the models to be accessed in GovCloud.
3. Finalize Access in GovCloud:
- Return to AWS GovCloud and sign in to the GovCloud (US) account.
- Switch to the us-gov-west-1 region.
- Navigate to the Amazon Bedrock console.
- Verify model access and confirm the requested models are available.
Note: It may take a few minutes for the entitlements to propagate from the standard AWS account to GovCloud.
Managing Model Access
Requesting access is the initial step in the process. While access can be removed for most models, some models (Amazon Titan, Amazon Nova, Mistral AI, and Meta Llama 3 Instruct) don't support access removal. For these cases, IAM policies can be used to restrict inference calls.
Example: Denying Inference Access with an IAM Policy
Here's an example of how you might craft an IAM policy to block inference calls to a specific model:
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "DenyInference",
    "Effect": "Deny",
    "Action": [
      "bedrock:InvokeModel",
      "bedrock:InvokeModelWithResponseStream",
      "bedrock:CreateModelInvocationJob"
    ],
    "Resource": "arn:aws:bedrock:*::foundation-model/model-id"
  }
}
This policy snippet is designed to deny all inference operations on the specified foundation model. It's a practical way to manage access without having to remove the request entirely for models that don't support that option.
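As an added example (not from this article or from AWS), the helper below generates the deny policy for several model IDs at once and sanity-checks which calls it blocks before the policy is attached. It assumes the policy is attached to principals in the GovCloud (US) account, where foundation-model ARNs use the aws-us-gov partition rather than the aws partition shown in the snippet above; the model IDs are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# The three inference actions the article's Deny statement covers.
INFERENCE_ACTIONS = [
    "bedrock:InvokeModel",
    "bedrock:InvokeModelWithResponseStream",
    "bedrock:CreateModelInvocationJob",
]


def build_deny_policy(model_ids, partition="aws-us-gov"):
    """Return an IAM policy document denying inference on every model in model_ids.

    partition defaults to "aws-us-gov" on the assumption that the policy is attached
    in the GovCloud (US) account; pass "aws" for a standard-region account.
    The Region is wildcarded, as in the article's policy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInference",
            "Effect": "Deny",
            "Action": INFERENCE_ACTIONS,
            "Resource": [f"arn:{partition}:bedrock:*::foundation-model/{m}" for m in model_ids],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied(policy, action, resource_arn):
    """Sanity check: does a Deny statement in policy match action and resource_arn?

    Implements only the subset of IAM matching this policy needs (case-insensitive
    action names, '*' wildcards); it is not a replacement for the IAM policy simulator.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


if __name__ == "__main__":
    # Constructed model IDs for illustration; use the IDs shown in the Bedrock console.
    print(json.dumps(build_deny_policy(["example.model-a", "example.model-b"]), indent=2))
```

The last check in a quick test is the one worth remembering: a policy written with the aws partition does not match a GovCloud resource ARN, so it would not block anything there.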
Final Thoughts
This process enables AWS GovCloud (US) customers to effectively manage Amazon Bedrock model access. The key points to remember are:
- Initial access must be granted through the associated standard AWS account
- Most models support access removal when needed
- For models without removal options, IAM policies provide access control
- Regular review of model access and permissions helps maintain security
Related Information
- Add or remove access to Amazon Bedrock foundation models
- Finding your associated standard AWS account
- To sign in as the root user
- Deny access for inference of foundation models